Third Party Payment - Reply link to update orders


Guest


Hi

 

I currently have OSC installed for a client. It has a third-party payment system, with a return_link to the site once credit card details have been processed.

Recently some orders were not showing up in OSC, but were showing up in the third-party payment interface. Upon debugging I realised that if users don't go back to the site via the return link (closed their browser) -

www......./checkout_process.php?bank_reference=&card_type=&payment_amount=&payment_date=&payment_number=&remote_ip=

the orders would not be saved. There is a reply_link_url that the payment processor offers, which would dynamically update records without the user clicking back to the site. However, I cannot figure out what variables the checkout_processor.php page would need returned via the GET query string.

In any case, I do know it needs OsID, but can this be returned to the server from an external page, via the query string?

 

Thank You.


OK, I have found a solution to this. This solution is for osCommerce users using the DirectOne payment module. It may seem a bit 'dirty', but it's the simplest method to get the orders to update in real time.

 

First duplicate the files checkout_process.php and application_top.php,

call checkout_process something like directone_process.php and application_top -> directone_top.php

 

Once that is done we need to change a few lines of code.

 

 

directone_top.php (Step One)

 

Completely remove the following lines of code

 

// verify the IP address if the feature is enabled
if (SESSION_CHECK_IP_ADDRESS == 'True') {
  $ip_address = tep_get_ip_address();
  if (!tep_session_is_registered('SESSION_IP_ADDRESS')) {
    $SESSION_IP_ADDRESS = $ip_address;
    tep_session_register('SESSION_IP_ADDRESS');
  }

  if ($SESSION_IP_ADDRESS != $ip_address) {
    tep_session_destroy();
    tep_redirect(tep_href_link(FILENAME_LOGIN));
  }
}

 

Checking the IP address against a user's session is definitely a good idea. However, the problem with this is that it will not allow the DirectOne server, which is using a different IP than the one stored in the user's session, to save and update the order, because of the code above. This is why we are removing these lines. This is also why we duplicated the original application_top.php file, so as to keep this security feature for the rest of the site with the original file, but allow us to bypass this for the DirectOne server.

 

 

directone_process.php (Step Two)

 

Change the line

include('includes/application_top.php'); to be

include('includes/directone_top.php');

 

directone.php (Step Three)

Change line 84 from this

tep_draw_hidden_field('reply_link_url', MODULE_PAYMENT_DIRECTONE_REPLY_LINK_URL) .

to this

tep_draw_hidden_field('reply_link_url', MODULE_PAYMENT_DIRECTONE_REPLY_LINK_URL.'&osCsid='.tep_session_id() ) .

 

We need to pass the session variable to the DirectOne server back to our server when the reply_link_url is initiated via GET (On successful transaction)

 

Now log in to oscommerce, go to modules->payments->directone, and enter the "Reply Link" to be -

 

Testing

In DirectOne test mode, log in as a customer, purchase a product, check out, select DirectOne, then on the checkout confirmation page, before it goes to DirectOne, check that you have a field that looks like

 

<input type="hidden" name="reply_link_url" value="http://www.yourdomain.com/directone_process.php?bank_reference=&card_type=&payment_amount=&payment_date=&payment_number=&remote_ip=&osCsid=xxxxxxxxxxxxxxxxxxxxxx">

 

If it does, great! Submit test card numbers and, upon confirmation (without clicking on the return URL), check in the osCommerce admin to see if the order is there.

 

Security

Bypassing the ip_confirmation (Step One) is generally not a good idea, as this allows a hacker to steal someone else's shopping cart. What can be done, which is a bit more secure, is to modify directone_top.php to instead read

 

 

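// The block removed in Step One was where $ip_address was set, so set it here
$ip_address = tep_get_ip_address();
if ($ip_address != 'DirectOnes ip address') {
  tep_session_destroy();
  exit;
}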

 

But I am not sure if the DirectOne ip address changes often.

 

Note: You could also turn off ip_checking completely configuration->sessions

 

Good Luck!

Edited by hypeweb
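
The source-address restriction suggested under "Security" in the post above, as an added example that is not part of the original post and is not osCommerce or DirectOne code. It goes beyond the single-address comparison in the post by accepting several addresses and CIDR ranges, since the post notes the processor's address may change; the names directone_ip_allowed, directone_guard and $DIRECTONE_RANGES are hypothetical, and the addresses are placeholders from the RFC 5737 documentation ranges.

```php
<?php
// Added example: allowlist check for the reply_link_url callback.
// Placeholder addresses (RFC 5737 documentation ranges), an assumption:
// replace them with the addresses the payment processor gives you.
$DIRECTONE_RANGES = array('203.0.113.10', '198.51.100.0/28');

// True when $ip (dotted IPv4) equals an entry or falls inside a CIDR entry.
function directone_ip_allowed($ip, $ranges) {
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                       // malformed or non-IPv4: fail closed
    }
    foreach ($ranges as $range) {
        $parts = explode('/', $range, 2);
        $net   = ip2long($parts[0]);
        $bits  = isset($parts[1]) ? $parts[1] : '32';
        if ($net === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue;                       // ignore a bad config entry, never match on it
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// Decision for directone_top.php, in place of the removed session IP check.
// REMOTE_ADDR is the TCP peer address; forwarded-for style headers are
// supplied by the client, so they are not consulted for this decision.
function directone_guard($server, $ranges) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    return directone_ip_allowed($peer, $ranges);
}

// Constructed sample requests (shaped like $_SERVER).
$samples = array(
    array('REMOTE_ADDR' => '203.0.113.10'),             // exact allowlist entry
    array('REMOTE_ADDR' => '198.51.100.7'),             // inside the /28 range
    array('REMOTE_ADDR' => '192.0.2.55',                // peer not on the list;
          'HTTP_X_FORWARDED_FOR' => '203.0.113.10'),    // the header is ignored
);
foreach ($samples as $s) {
    echo $s['REMOTE_ADDR'], ' => ', directone_guard($s, $DIRECTONE_RANGES) ? "process\n" : "reject\n";
}
```

In directone_top.php the guard would be called as directone_guard($_SERVER, $DIRECTONE_RANGES), with tep_session_destroy() and exit on a false result, as in the post's snippet.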

  • 3 months later...

Hey, thanks for this. I have been advised by DirectOne that that definitely looks like the fix to make sure that the reply_link_url updates the osCommerce records successfully. I'll try it now.
